Cyber Incident Victim: City of Fort Worth
Date: Jun 2023
Location: United States of America
Summary
The City of Fort Worth experienced a website breach where threat actors gained unauthorized access to an internal system used for managing maintenance work orders. The attackers, who sought to make a political statement, exfiltrated and posted data including work order attachments, photos, spreadsheets, and internal emails. Officials confirmed the compromise did not impact the public website and stated there was no evidence that sensitive resident, business, or employee information was accessed. Forced password resets were implemented, and an investigation with law enforcement is ongoing.
Description
On June 22, 2023, the City of Fort Worth, Texas, experienced a cybersecurity incident involving unauthorized access to its systems. The initial detection of the breach occurred around 4:00 p.m. that Friday when the Texas Department of Human Resources notified Fort Worth officials. The state agency had identified a post made by the threat actors claiming they had successfully gained access to city data by hacking the website. This external notification prompted the city to immediately initiate its incident response protocols. Officials, including Chief Technology Officer and IT Solutions Director Kevin Gunn, began an assessment to understand the nature and scope of the unauthorized access.

The investigation revealed that the threat actors had compromised login credentials for the city's internal "view work system." This system is an internal website used by multiple departments, including Transportation and Public Works, Park and Recreation, and the Property Management Department, for managing maintenance work orders. The attackers used these stolen credentials to gain entry and subsequently exfiltrate data. The compromised information consisted entirely of data associated with these maintenance work orders. Specifically, the exfiltrated data included file attachments to the work orders, such as before and after repair photographs, spreadsheets, invoices for completed work, emails between city staff members, PDF documents, and other related administrative materials. The attackers then publicly posted a selection of this data online to support their claim of having breached the city's systems.
City officials were able to quickly verify that the data posted by the hackers did not originate from the city's public-facing website. They confirmed that the source was the separate, internal work order management system. Furthermore, the investigation, which involved computer forensic experts, found no evidence that any sensitive personal or financial information was accessed or exfiltrated. Officials stressed that there was no indication that social security numbers, credit card information, banking details, or any other sensitive data belonging to residents, businesses, or city employees was compromised. The scope of the incident was contained to the non-sensitive operational data within the specific work order system that was targeted.
The attack appeared to be aimed at making a political statement rather than at financial gain. Officials pointed to the content of the post made by the hackers, which alluded to an intent to embarrass the city. The attackers' actions were characterized as an effort to use the exfiltrated internal documents to cause reputational damage or make a political point, rather than to steal valuable data for monetization.
In immediate response to the incident, the City of Fort Worth implemented containment measures to prevent any further unauthorized access. All user accounts associated with the compromised system were forcibly logged out, and a mandatory password reset was enforced for everyone with access to the view work system. This action was taken to invalidate the stolen credentials and secure the account access points. The city's technology team worked to ensure the integrity of other systems while the forensic review was ongoing.
The response effort extended beyond internal actions. The City of Fort Worth engaged with federal and local law enforcement agencies to report the breach and assist in the investigation. External computer forensic experts continued to conduct a thorough review of the city's systems. The objective of this digital forensic analysis was to fully understand the depth and scope of the incident, including the exact method of initial access and the extent of data viewed or taken, and to ensure no persistent threats remained within the network.
Throughout the public disclosure of the event, city officials maintained a focus on transparency regarding the known facts while also reassuring the public about the limits of the data exposure. A press conference was held on Saturday, June 23, to inform the public and address concerns. Kevin Gunn, the Chief Technology Officer, emphasized that the city's primary concern was protecting the interests of residents, businesses, and employees. He stated that decisions were being made with their best interests in mind and that the city would continue to protect them to the extent possible. The confirmed impact of the incident was limited to the potential embarrassment from the release of internal city documents related to maintenance work, with no direct financial or identity theft risk to individuals arising from the breach. The consequences were therefore primarily operational and reputational, necessitating a public response to manage confidence and demonstrate control over the situation. The investigation remained active to confirm these initial findings and ensure the security of the city's digital infrastructure was fully restored.
